PSD2 Strong Customer Authentication


(Colin Robinson) #1

New internet checks
(Andre Borie) #2

a problem if you don’t have coverage

WiFi calling was a thing at least since the iPhone 5s (2013!)

Maybe the article should blame the mobile carriers that still don’t support it instead of blaming 3D-Secure? :joy:


#3

payment providers will be required to ask for an extra form of verification, usually sent as a one-time password by text to your mobile phone

Nice. Only 10 years behind everyone else. SMS one time password have been depreciated and are no longer recommended as best practice for things like this.

Not all phones support WiFi calling. And WiFi calling doesn’t always work when it is supported due to incompatibilities with the WiFi devices they are connected to, poor internet connections, etc.

The best way probably is some in app method. Even Monzo seem to have issues getting that right, its clunky and inconvenient.


(Edward) #4

My biggest question (the PSD2 link in the article is broken) would be why offline 2 factor authentication devices (which many banks have already distributed for their customer-initiated online payments) would not also work for online payments. Even if there were some ambiguous unease about just outright using OAuth-type scannable QR codes and a software token generator, hardware generators (e.g. RSA tokens) are pretty standard fare.


#5

You already can. The regulation doesn’t specifically state they have to phone you by the looks of it. and the article says that it could be other methods like bio-metrics.

this looks like its just a change in the threshold of what amounts trigger a check.


(Andre Borie) #6

Not all phones support WiFi calling

Any half-decent phones does. For those that don’t I guess “sorry :man_shrugging:t2:”?

WiFi calling doesn’t always work when it is supported due to incompatibilities with the WiFi devices they are connected to

If your network connection is weird enough not to support Wi-Fi calling then it is defective and you should bring it up to your network administrator, but from experience I’ve never seen Wi-Fi calling fail on a standard residential connection. If it fails you (or your ISP) is doing something weird and it’s up to them to fix it.

poor internet connections

If your connection is really that poor not to allow an SMS to go through over Wi-FI calling then you have bigger problems to worry about - I’d be asking how are you even able to order something online in the first place to require receiving a 3D-Secure SMS.

The best way probably is some in app method

Definitely, this is also better for security as SMS is insecure (although Wi-Fi calling helps here as it comes through a secure IPSec tunnel directly to your mobile carrier). But as a fallback, SMS is a good enough option that is guaranteed to work on any standards-compliant phone & carrier.

Even Monzo seem to have issues getting that right, its clunky and inconvenient.

Just because one company screws it up (and I agree with you here about Monzo) doesn’t mean it can’t be done right.


(Edward) #7

It’s not the phone, most carriers (e.g. O2, Vodafone, etc) do not support SMS over WiFi in the first place. It’s a separate system from WiFi calling.


(Andre Borie) #8

most carriers (e.g. O2, Vodafone, etc) do not support SMS over WiFi in the first place

Which is exactly my point. This is unacceptable in 2018. Also both EE and Three support it just fine, so there’s no excuse for the others not to support it, besides laziness and corner-cutting. It’s not like we’re talking about some kind of cutting-edge rocket-science here.

I wouldn’t blame the banks here. The bank is doing their best to get in touch with you to deliver the authentication code. Your mobile carrier’s job is to make sure whoever tries to get in touch with you actually manages to do so, and this is where they fail miserably.


#9

Not really. WiFi calling outside of iPhones is a reasonably new thing. Add onto that that not all carrier support it (agree, bad carriers). Technology isnt always comparable. Its just poor design, some WiFi APs just don’t deal with it nicely and can cause dropped calls etc.

It’s just a poor option as lots of variables are outside the banks control and its simply not universal enough.

They do it better than most other banks. Just meaning that if its going to apply for smaller purchases then it needs to be better.


(Andre Borie) #10

WiFi calling outside of iPhones is a reasonably new thing

The main problem with Wi-Fi calling on Android is the carriers doing stupid non-standard things meaning you won’t be able to use WI-FI calling unless you use a phone with their customised firmware (often this means you have to buy it from them). Again, a fault of the carriers more than anyone else.

some WiFi APs just don’t deal with it nicely

Possibly, but in this case it should transparently fall back to the mobile network. Even then, issues with Wi-Fi calling shouldn’t affect the SMS part of it (it’s a single packet at the end of the day - if you can’t even get that to go through then you have bigger problems to worry about).


(Scott) #11

I really don’t like this idea, with me when in work (I work in a hospital) so signal is very hit and miss! I use my works computer and phone on WiFi but turn phone on flight mode to save battery as my phone constantly searches for signal and battery would die very quickly, so if I wanted to purchase something my phone wouldn’t get a txt message until I’m outside the hospital. In this day and age I think this is quite daft really, surely there’s a better way to verify than a txt.


#12

If you’ve got wifi off your probably not making an online purchase. That’s what this applies to.

business purchases would go through the business?


(Kevin) #13

Lots of talk about WiFi calling here and SMS. As a Three UK customer I can make and receive calls and SMS over WIFI BUT ONLY if I’ve bought my phone through them. If you have a SIM only contract and a SIM free phone it’s not supported (unless you have an iPhone I believe). I think it’s the same for the other network providers too.


(Kevin) #14

Of course these reports could well be Fake News (well almost) cos it seems that Mastercard for instance has already got your back…